Abstract. Randomness extraction is of fundamental importance for information-theoretic cryptography. It makes it possible to transform a raw key about which an attacker has some limited knowledge into a fully secure random key, on which the attacker has essentially no information. To date, only very few randomness-extraction techniques are known to work against an attacker holding quantum information on the raw key. This is very much in contrast to the classical (non-quantum) setting, which is much better understood and for which a vast number of different techniques are known and proven to work.

We prove a new randomness-extraction technique, which is known to work in the classical setting, to be secure against a quantum attacker as well. Randomness extraction is done by xor'ing a so-called δ-biased mask to the raw key. Our result allows us to extend the classical applications of this extractor to the quantum setting. We discuss the following two applications. We show how to encrypt a long message with a short key, information-theoretically secure against a quantum attacker, provided that the attacker has enough quantum uncertainty on the message. This generalizes the concept of entropically-secure encryption to the case of a quantum attacker. As a second application, we show how to do error-correction without leaking partial information to a quantum attacker. Such a technique is useful in settings where the raw key may contain errors, since standard error-correction techniques may provide the attacker with information on, say, a secret key that was used to obtain the raw key.



1 Introduction 

Randomness extraction allows one to transform a raw key $X$ about which an attacker has some limited knowledge into a fully secure random key $S$. It is required that the attacker has essentially no information on the resulting random key $S$, no matter what kind of information he has about the raw key $X$, as long as his uncertainty on $X$ is lower bounded in terms of a suitable entropy measure. One distinguishes between extractors which use a private seed (preferably as small as possible) [29], and what is nowadays called strong extractors, which only use public coins [15, 21]. In the context of cryptography, the latter kind of randomness extraction is also known as privacy amplification [5]. Randomness-extraction techniques play an important role in various areas of theoretical computer science. In cryptography, they are at the core of many constructions in information-theoretic cryptography, but they also proved to be useful in the computational setting. As such, there is a huge amount of literature on randomness extraction, and there exist various techniques which are optimized with respect to different needs; we refer to Shaltiel's survey [26] for an informative overview on classical and recent results.

Most of these techniques, however, are only guaranteed to work in a non-quantum setting, where information is formalized by means of classical information theory. In a quantum setting, where the attacker's information is given by a quantum state, our current understanding is much more deflating. Renner and König [23] have shown that privacy amplification via universal hashing is secure against quantum adversaries. And König and Terhal [18] showed security against quantum attackers for certain extractors, namely for one-bit-output strong extractors, as well as for strong extractors which work by extracting bit-wise via one-bit-output strong extractors. Concurrent to our work, Smith has recently shown that Renner and König's result generalizes to almost-universal hashing, i.e., that Srinivasan–Zuckerman extractors remain secure against quantum adversaries [27]. On the negative side, Gavinsky et al. recently showed that there exist (strong) extractors that are secure against classical attackers, but which become completely insecure against quantum attackers [13]. Hence, it is not only a matter of lack of proof, but in fact classical extractors may turn insecure when considering quantum attackers.

We prove a new randomness-extraction technique to be secure against a quantum attacker. It is based on the concept of small-biased spaces, see e.g. [20]. Concretely, randomness extraction is done by xor'ing the raw key $X \in \{0,1\}^n$ with a δ-biased mask $A \in \{0,1\}^n$, chosen privately according to some specific distribution, where the distribution may be chosen publicly from some family of distributions. Roughly, $A$ (or actually the family of distributions) is δ-biased if any non-trivial parity of $A$ can only be guessed with advantage δ. We prove that if $A$ is δ-biased, then the bit-wise xor $X \oplus A$ is ε-close to random and independent of the attacker's quantum state with $\varepsilon = \delta \cdot 2^{(n-t)/2}$, where $t$ is the attacker's quantum collision-entropy in $X$. Thus, writing $\delta = 2^{-\kappa}$, the extracted key $X \oplus A$ is essentially random as long as $2\kappa$ is significantly larger than $n - t$. Note that in its generic form, this randomness extractor uses public coins, namely the choice of the distribution, and a private seed, the sampling of $A$ according to the chosen distribution. Specific instantiations, though, may lead to standard extractors with no public coins (as in Section 5), or to a strong extractor with no private seed (as in Section 6). The proof of the new randomness-extraction result combines quantum-information-theoretic techniques developed by Renner [22, 23] and techniques from Fourier analysis, similar to though slightly more involved than those used in [2].

We would like to point out that the particular extractor we consider, δ-biased masking, is well known to be secure against non-quantum attackers. Indeed, classical security was shown by Dodis and Smith, who also suggested useful applications [11, 12]. Thus, our main contribution is the security analysis in the presence of a quantum attacker. Our positive result not only contributes to the general problem of the security of extractors against quantum attacks, but it is particularly useful in combination with the classical applications of δ-biased masking, where it leads to interesting new results in the quantum setting. We discuss these applications and the arising new results below.

The first application is entropically secure encryption [25, 12]. An encryption scheme is entropically secure if the ciphertext gives essentially no information away on the plaintext (in an information-theoretic sense), provided that the attacker's a priori information on the plaintext is limited. Entropic security allows one to overcome Shannon's pessimistic result on the size of the key for information-theoretically secure encryption, in that a key of size essentially $\ell \approx n - t$ suffices to encrypt a plaintext of size $n$ which has $t$ bits of entropy given the attacker's a priori information. This key size was known to suffice for a non-quantum adversary [25, 12]. By our analysis, this result carries over to the setting where we allow the attacker to store information as quantum states: a key of size essentially $\ell \approx n - t$ suffices to encrypt a plaintext of size $n$ which has $t$ bits of (min- or collision-) entropy given the attacker's quantum information about the plaintext.

Note that entropic security in a quantum setting was also considered explicitly in [8] and implicitly for the task of approximate quantum encryption [2, 16, 10]. However, all these results are on encrypting a quantum message into a quantum ciphertext on which the attacker has limited classical information (or none at all), whereas we consider encrypting a classical message into a classical ciphertext on which the attacker has limited quantum information. Thus, our result in quantum entropic security is in that sense orthogonal. As a matter of fact, the results in [2, 16, 10, 8] about randomizing quantum states can also be appreciated as extracting "quantum randomness" from a quantum state on which the attacker has limited classical information. Again, this is orthogonal to our randomness-extraction result, which allows one to extract classical randomness from a classical string on which the attacker has limited quantum information. In independent recent work, Desrosiers and Dupuis showed that one can combine techniques to get the best out of both: they showed that δ-biased masking (as used in [2]) allows one to extract "quantum randomness" from a quantum state on which the attacker has limited quantum information. This in particular implies our result.

The second application is in the context of private error-correction. Consider a situation where the raw key $X$ is obtained by Alice and Bob with the help of some (short) common secret key $K$, and where the attacker Eve, who does not know $K$, has high entropy on $X$. Assume that, due to noise, Bob's version of the raw key $X'$ is slightly different from Alice's version $X$. Such a situation may for instance occur in the bounded-storage model or in a quantum-key-distribution setting. Since Alice and Bob have different versions of the raw key, they first need to correct the errors before they can extract (by means of randomness extraction) a secure key $S$ from $X$. However, since $X$ and $X'$ depend on $K$, standard techniques for correcting the errors between $X$ and $X'$ leak information not only on $X$ but also on $K$ to Eve, which prohibits Alice and Bob from re-using it in a future session. In the case of a non-quantum attacker, Dodis and Smith showed how to do error-correction in such a setting without leaking information on $K$ to Eve [11], and thus that $K$ can be safely re-used an unlimited number of times. We show how our randomness-extraction result gives rise to a similar way of doing error correction without leaking information on $K$, even if Eve holds her partial information on $X$ in a quantum state. Such a private-error-correction technique is a useful tool in various information-theoretic settings with a quantum adversary. Very specifically, this technique has already been used as an essential ingredient to derive new results in the bounded-(quantum)-storage model and in quantum key distribution [7].

The paper is organized as follows. We start with some quantum-information-theoretic notation and definitions. The new randomness-extraction result is presented in Section 3 and proven in Section 4. The two applications discussed are given in Sections 5 and 6.

2 Preliminaries 

2.1 Notation and Terminology 

A quantum system is described by a complex Hilbert space $\mathcal{H}_A$ (in this paper always of finite dimension). The state of the system is given by a density matrix: a positive semi-definite operator $\rho_A$ on $\mathcal{H}_A$ with trace $\mathrm{tr}(\rho_A) = 1$. We write $\mathcal{P}(\mathcal{H}_A)$ for the set of all positive semi-definite operators on $\mathcal{H}_A$, and we call $\rho_A \in \mathcal{P}(\mathcal{H}_A)$ normalized if it has trace 1, i.e., if it is a density matrix. For a density matrix $\rho_{AB} \in \mathcal{P}(\mathcal{H}_A \otimes \mathcal{H}_B)$ of a composite quantum system $\mathcal{H}_A \otimes \mathcal{H}_B$, we write $\rho_B = \mathrm{tr}_A(\rho_{AB})$ for the state obtained by tracing out system $\mathcal{H}_A$. A density matrix $\rho_{XB} \in \mathcal{P}(\mathcal{H}_X \otimes \mathcal{H}_B)$ is called classical on $\mathcal{H}_X$ with $X \in \mathcal{X}$, if it is of the form $\rho_{XB} = \sum_x P_X(x)\,|x\rangle\langle x| \otimes \rho_B^x$ with normalized $\rho_B^x \in \mathcal{P}(\mathcal{H}_B)$, where $\{|x\rangle\}_{x \in \mathcal{X}}$ forms an orthonormal basis of $\mathcal{H}_X$. Such a density matrix $\rho_{XB}$ which is classical on $\mathcal{H}_X$ can be viewed as a random variable $X$ with distribution $P_X$ together with a family $\{\rho_B^x\}_{x \in \mathcal{X}}$ of conditional density matrices, such that the state of $\mathcal{H}_B$ is given by $\rho_B^x$ if and only if $X$ takes on the value $x$. We can introduce a new random variable $Y$ which is obtained by "processing" $X$, i.e., by extending the distribution $P_X$ to a consistent joint distribution $P_{XY}$. Doing so then naturally defines the density matrix $\rho_{XYB} = \sum_{x,y} P_{XY}(x,y)\,|x\rangle\langle x| \otimes |y\rangle\langle y| \otimes \rho_B^x$, and thus also the density matrix $\rho_{YB} = \mathrm{tr}_X(\rho_{XYB}) = \sum_y P_Y(y)\,|y\rangle\langle y| \otimes \bigl(\sum_x P_{X|Y}(x|y)\,\rho_B^x\bigr)$. If the meaning is clear from the context, we tend to slightly abuse notation and write the latter also as $\rho_{YB} = \sum_y P_Y(y)\,|y\rangle\langle y| \otimes \rho_B^y$, i.e., understand $\rho_B^y$ as $\sum_x P_{X|Y}(x|y)\,\rho_B^x$. Throughout, we write $\mathbb{1}$ for the identity matrix of appropriate dimension.



2.2 Distance and Entropy Measures for Quantum States 

We recall some definitions from [22]. Let $\rho_{XB} \in \mathcal{P}(\mathcal{H}_X \otimes \mathcal{H}_B)$. Although the following definitions make sense (and are defined in [22]) for arbitrary $\rho_{XB}$, we may assume $\rho_{XB}$ to be normalized¹ and to be classical on $\mathcal{H}_X$.

Definition 2.1. The $L_1$-distance from uniform of $\rho_{XB}$ given $B$ is defined by

$$d(\rho_{XB}|B) := \|\rho_{XB} - \rho_U \otimes \rho_B\|_1 = \mathrm{tr}\bigl(|\rho_{XB} - \rho_U \otimes \rho_B|\bigr),$$

where $\rho_U := \frac{1}{\dim(\mathcal{H}_X)}\mathbb{1}$ is the fully mixed state on $\mathcal{H}_X$ and $|A| := \sqrt{A^\dagger A}$ is the positive square root of $A^\dagger A$ (where $A^\dagger$ is the complex-conjugate transpose of $A$).

If $\rho_{XB}$ is classical on $\mathcal{H}_X$, then $d(\rho_{XB}|B) = 0$ if and only if $X$ is uniformly distributed and $\rho_B^x$ does not depend on $x$, which in particular implies that no information on $X$ can be learned by observing system $\mathcal{H}_B$. Furthermore, if $d(\rho_{XB}|B) \le \varepsilon$ then the real system $\rho_{XB}$ "behaves" as the ideal system $\rho_U \otimes \rho_B$ except with probability $\varepsilon$, in that for any evolution of the system no observer can distinguish the real from the ideal one with advantage greater than $\varepsilon$ [22].



Definition 2.2. The collision-entropy and the min-entropy of $\rho_{XB}$ relative to a normalized and invertible $\sigma_B \in \mathcal{P}(\mathcal{H}_B)$ are defined by

$$H_2(\rho_{XB}|\sigma_B) := -\log \mathrm{tr}\Bigl(\bigl((\mathbb{1} \otimes \sigma_B^{-1/4})\,\rho_{XB}\,(\mathbb{1} \otimes \sigma_B^{-1/4})\bigr)^2\Bigr) = -\log \sum_x P_X(x)^2\,\mathrm{tr}\bigl((\sigma_B^{-1/4}\rho_B^x\sigma_B^{-1/4})^2\bigr)$$

and

$$H_\infty(\rho_{XB}|\sigma_B) := -\log \lambda_{\max}\bigl((\mathbb{1} \otimes \sigma_B^{-1/2})\,\rho_{XB}\,(\mathbb{1} \otimes \sigma_B^{-1/2})\bigr) = -\log \max_x \lambda_{\max}\bigl(P_X(x)\,\sigma_B^{-1/2}\rho_B^x\sigma_B^{-1/2}\bigr),$$

respectively, where $\lambda_{\max}(\cdot)$ denotes the largest eigenvalue of the argument. The collision-entropy and the min-entropy of $\rho_{XB}$ given $\mathcal{H}_B$ are defined by

$$H_2(\rho_{XB}|B) := \sup_{\sigma_B} H_2(\rho_{XB}|\sigma_B) \quad\text{and}\quad H_\infty(\rho_{XB}|B) := \sup_{\sigma_B} H_\infty(\rho_{XB}|\sigma_B),$$

respectively, where the supremum ranges over all normalized $\sigma_B \in \mathcal{P}(\mathcal{H}_B)$.

¹ For a non-normalized $\rho_{XB}$, there is a normalizing $1/\mathrm{tr}(\rho_{XB})$-factor in the definition of collision-entropy. Also note that $\mathrm{tr}(\sigma^{-1/2}\rho\,\sigma^{-1/2}) = \mathrm{tr}(\rho\,\sigma^{-1})$ for any invertible $\sigma$.
Note that without loss of generality, the supremum over $\sigma_B$ can be restricted to the set of normalized and invertible states $\sigma_B$, which is dense in the set of normalized states in $\mathcal{P}(\mathcal{H}_B)$. Note furthermore that it is not clear, neither in the classical nor in the quantum case, what the "right" way to define conditional collision- or min-entropy is, and as a matter of fact, it depends on the context which version serves best. An alternative way to define the collision- and min-entropy of $\rho_{XB}$ given $\mathcal{H}_B$ would be as $\tilde{H}_2(\rho_{XB}|B) := H_2(\rho_{XB}|\rho_B)$ and $\tilde{H}_\infty(\rho_{XB}|B) := H_\infty(\rho_{XB}|\rho_B)$. For a density matrix $\rho_{XY}$ that is classical on $\mathcal{H}_X$ and $\mathcal{H}_Y$, it is easy to see that $\tilde{H}_2(\rho_{XY}|Y) = -\log \sum_y P_Y(y) \sum_x P_{X|Y}(x|y)^2$, i.e., the negative logarithm of the average conditional collision probability, and $\tilde{H}_\infty(\rho_{XY}|Y) = -\log \max_{x,y} P_{X|Y}(x|y)$, i.e., the negative logarithm of the maximal conditional guessing probability. These notions of classical conditional collision- and min-entropy are commonly used in the literature, explicitly (see e.g. [24, 6]) or implicitly (as e.g. in [5]). We stick to Definition 2.2 because it leads to stronger results, in that asking $H_2(\rho_{XB}|B)$ to be large is a weaker requirement than asking $\tilde{H}_2(\rho_{XB}|B)$ to be large, as obviously $H_2(\rho_{XB}|B) \ge \tilde{H}_2(\rho_{XB}|B)$, and similarly for the min-entropy.

3 The New Randomness-Extraction Result 

We start by recalling the definition of a δ-biased random variable and of a δ-biased family of random variables [20, 11].

Definition 3.1. The bias of a random variable $A$, with respect to $\alpha \in \{0,1\}^n$, is defined as

$$\mathrm{bias}_\alpha(A) := \Bigl|\sum_a P_A(a)\,(-1)^{\alpha \cdot a}\Bigr| = 2\,\Bigl|P[\alpha \cdot A = 1] - \tfrac{1}{2}\Bigr|,$$

and $A$ is called δ-biased if $\mathrm{bias}_\alpha(A) \le \delta$ for all non-zero $\alpha \in \{0,1\}^n$. A family of random variables $\{A_i\}_{i \in \mathcal{I}}$ over $\{0,1\}^n$ is called δ-biased if, for all $\alpha \neq 0$,

$$\mathbb{E}_{i \leftarrow \mathcal{I}}\bigl[\mathrm{bias}_\alpha(A_i)^2\bigr] \le \delta^2,$$

where the expectation is over $i$ chosen uniformly at random from $\mathcal{I}$.

Note that by Jensen's inequality, $\mathbb{E}_{i \leftarrow \mathcal{I}}[\mathrm{bias}_\alpha(A_i)] \le \delta$ for all non-zero $\alpha$ is a necessary (but not sufficient) condition for $\{A_i\}_{i \in \mathcal{I}}$ to be δ-biased. In case though the family consists of only one member, then it is δ-biased if and only if its only member is.

Our main theorem states that if $\{A_i\}_{i \in \mathcal{I}}$ is δ-biased for a small δ, and if an adversary's conditional entropy $H_2(\rho_{XB}|B)$ on a string $X \in \{0,1\}^n$ is large enough, then masking $X$ with $A_i$ for a random but known $i$ gives an essentially random string.
Theorem 3.2. Let the density matrix $\rho_{XB} \in \mathcal{P}(\mathcal{H}_X \otimes \mathcal{H}_B)$ be classical on $\mathcal{H}_X$ with $X \in \{0,1\}^n$. Let $\{A_i\}_{i \in \mathcal{I}}$ be a δ-biased family of random variables over $\{0,1\}^n$, and let $I$ be uniformly and independently distributed over $\mathcal{I}$. Then

$$d(\rho_{(A_I \oplus X)BI}|BI) \le \delta \cdot 2^{-\frac{1}{2}(H_2(\rho_{XB}|B) - n)}.$$

By the inequalities

$$H_\infty(X) - \log \dim(\mathcal{H}_B) \le H_\infty(\rho_{XB}|B) \le H_2(\rho_{XB}|B),$$

proven in [22], Theorem 3.2 may also be expressed in terms of conditional min-entropy $H_\infty(\rho_{XB}|B)$ or in terms of classical min-entropy of $X$ minus the size of the quantum state (i.e. the number of qubits). If $B$ is the "empty" quantum state, i.e., $\log \dim(\mathcal{H}_B) = 0$, then Theorem 3.2 coincides with Lemma 4 of [11]. Theorem 3.2 also holds, with a corresponding normalization factor, for non-normalized operators, from which it follows that it can also be expressed in terms of the smooth conditional min-entropy $H^\varepsilon_\infty(\rho_{XB}|B)$, as defined in [22], as

$$d(\rho_{(A_I \oplus X)BI}|BI) \le 2\varepsilon + \delta \cdot 2^{-\frac{1}{2}(H^\varepsilon_\infty(\rho_{XB}|B) - n)}.$$
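As an added illustration (this script is not part of the paper), the following Python code runs the classical instance of Theorem 3.2, i.e. with an "empty" system $B$, where $H_2(\rho_{XB}|B)$ is the ordinary collision entropy of $X$ and the bound coincides with Lemma 4 of [11]. The family $\{A_i\}$ is constructed here as the uniform distributions over a few random 4-dimensional linear codes in $\{0,1\}^8$ (the paper fixes no concrete family), the raw key $X$ is a constructed distribution of independent biased bits, and δ is computed exactly from Definition 3.1 for that family. The script then compares the expectation over the public index $i$ of the $L_1$-distance of $A_i \oplus X$ from uniform with $\delta \cdot 2^{-(H_2(X)-n)/2}$.

```python
import math
import random

# Added example (not from the paper): classical instance of Theorem 3.2.
# n, k, the family of codes and the distribution of X are all constructed here.

N = 8            # bit length of the raw key X
K = 4            # dimension of each linear code in the family
FAMILY_SIZE = 64 # number of indices i in the (public) index set I

def parity(a, x):
    """Inner product a.x modulo 2 of two bit vectors stored as ints."""
    return bin(a & x).count("1") & 1

def bias(dist, alpha):
    """bias_alpha(A) = |sum_a P_A(a) (-1)^{alpha.a}| for a dict distribution."""
    return abs(sum(p * (-1) ** parity(alpha, a) for a, p in dist.items()))

def uniform_over_code(generator_rows):
    """Uniform distribution over the span (over GF(2)) of the generator rows."""
    code = {0}
    for g in generator_rows:
        code |= {c ^ g for c in code}
    return {c: 1.0 / len(code) for c in code}

def random_code_family(rng):
    """Family {A_i}: A_i uniform over the row space of a random K x N matrix."""
    return [uniform_over_code([rng.randrange(1, 1 << N) for _ in range(K)])
            for _ in range(FAMILY_SIZE)]

def family_delta(family):
    """Smallest delta with E_i[bias_alpha(A_i)^2] <= delta^2 for all alpha != 0."""
    worst = max(sum(bias(a_i, alpha) ** 2 for a_i in family) / len(family)
                for alpha in range(1, 1 << N))
    return math.sqrt(worst)

def collision_entropy(dist):
    """H_2(X) = -log sum_x P_X(x)^2 (the case of an empty quantum system B)."""
    return -math.log2(sum(p * p for p in dist.values()))

def xor_distribution(px, pa):
    """Distribution of A xor X for independent X ~ px and A ~ pa."""
    out = {}
    for x, p in px.items():
        for a, q in pa.items():
            out[x ^ a] = out.get(x ^ a, 0.0) + p * q
    return out

def l1_distance_from_uniform(dist):
    """||P - U||_1 over {0,1}^N (trace norm, not halved, as in Definition 2.1)."""
    u = 1.0 / (1 << N)
    return sum(abs(dist.get(v, 0.0) - u) for v in range(1 << N))

def biased_bits_distribution(p_one):
    """Constructed raw key: N independent bits, each equal to 1 with probability p_one."""
    return {x: p_one ** bin(x).count("1") * (1 - p_one) ** (N - bin(x).count("1"))
            for x in range(1 << N)}

def extractor_experiment(seed=7, p_one=0.3):
    """Return (E_i[d(A_i xor X from uniform)], bound delta * 2^(-(H_2(X) - n)/2))."""
    rng = random.Random(seed)
    family = random_code_family(rng)
    px = biased_bits_distribution(p_one)
    delta = family_delta(family)
    distance = sum(l1_distance_from_uniform(xor_distribution(px, a_i))
                   for a_i in family) / len(family)
    bound = delta * 2 ** (-(collision_entropy(px) - N) / 2)
    return distance, bound

if __name__ == "__main__":
    dist, bnd = extractor_experiment()
    print(f"E_i[d(A_i xor X | i)] = {dist:.4f} <= delta * 2^(-(H2(X)-n)/2) = {bnd:.4f}")
```

Because the bound is a theorem, the inequality holds for every seed; what the run shows is how much slack there is between the actual distance and $\delta \cdot 2^{-(H_2(X)-n)/2}$ for a concrete family, and that a family whose single member is uniform has $\delta = 0$ (the one-time pad) while a deterministic mask has $\delta = 1$.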

4 The Proof 

We start by pointing out some elementary observations regarding the Fourier transform over the hypercube. In particular, we can extend the convolution theorem and Parseval's identity to the case of matrix-valued functions. Further properties of the Fourier transform (with a different normalization) of matrix-valued functions over the hypercube have recently been established by Ben-Aroya, Regev and de Wolf. In Section 4.2 we introduce and recall a couple of properties of the $L_2$-distance from uniform. The actual proof of Theorem 3.2 is given in Section 4.3.

4.1 Fourier Transform and Convolution 

For some fixed positive integer $d$, consider the complex vector space $\mathcal{MF}$ of all functions $M: \{0,1\}^n \to \mathbb{C}^{d \times d}$. The convolution of two such matrix-valued functions $M, N \in \mathcal{MF}$ is the matrix-valued function

$$M * N : x \mapsto \sum_y M(y)\,N(x \oplus y)$$

and the Fourier transform of a matrix-valued function $M \in \mathcal{MF}$ is the matrix-valued function

$$\mathcal{F}(M) : \alpha \mapsto 2^{-n/2} \sum_x (-1)^{\alpha \cdot x}\,M(x),$$

where $\alpha \cdot x$ denotes the standard inner product modulo 2. Note that if $X$ is a random variable with distribution $P_X$ and $M$ is the matrix-valued function $x \mapsto P_X(x) \cdot \mathbb{1}$, then

$$\mathcal{F}(M)(\alpha) = 2^{-n/2} \cdot \mathrm{bias}_\alpha(X) \cdot \mathbb{1}.$$

The Euclidean or $L_2$-norm of a matrix-valued function $M \in \mathcal{MF}$ is given by

$$\|M\|_2 := \sqrt{\mathrm{tr}\Bigl(\sum_x M(x)^\dagger M(x)\Bigr)},$$

where $M(x)^\dagger$ denotes the complex-conjugate transpose of the matrix $M(x)$.²

The following two properties, known as the Convolution Theorem and Parseval's Theorem, are straightforward to prove (see Appendix A).

Lemma 4.1. For all $M, N \in \mathcal{MF}$:

$$\mathcal{F}(M * N) = 2^{n/2} \cdot \mathcal{F}(M) \cdot \mathcal{F}(N) \quad\text{and}\quad \|\mathcal{F}(M)\|_2 = \|M\|_2.$$
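The following Python script, added here as an illustration and not part of the paper, checks Lemma 4.1 numerically for matrix-valued functions with $d = 2$ and $n = 4$, using the paper's normalization of $\mathcal{F}$. The functions $M$ (a distribution $P_X$ times a Hermitian matrix) and $N$ ($P_A$ times $\mathbb{1}$ for $A$ uniform on a sub-cube) are constructed for the example; matrices are plain Python lists so nothing beyond the standard library is needed. It also checks the relation $\mathcal{F}(N)(\alpha) = 2^{-n/2}\,\mathrm{bias}_\alpha(A)\,\mathbb{1}$ for this $A$, whose parity sums are all non-negative.

```python
import cmath
import math

# Added example (not from the paper): Lemma 4.1 for d x d matrix-valued
# functions on {0,1}^n. n, d and the sample functions are constructed here.

N = 4
D = 2

def parity(a, x):
    return bin(a & x).count("1") & 1

# --- minimal D x D complex matrix helpers (lists of lists) ----------------
def mat_zero():
    return [[0j] * D for _ in range(D)]

def mat_add(a, b):
    return [[a[i][j] + b[i][j] for j in range(D)] for i in range(D)]

def mat_scale(c, a):
    return [[c * a[i][j] for j in range(D)] for i in range(D)]

def mat_mul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(D)) for j in range(D)] for i in range(D)]

def mat_dagger(a):
    return [[a[j][i].conjugate() for j in range(D)] for i in range(D)]

def mat_trace(a):
    return sum(a[i][i] for i in range(D))

def mat_close(a, b, tol=1e-9):
    return all(abs(a[i][j] - b[i][j]) < tol for i in range(D) for j in range(D))

IDENTITY = [[1 + 0j, 0j], [0j, 1 + 0j]]

# --- the operations of Section 4.1 ----------------------------------------
def convolve(m, n):
    """(M * N)(x) = sum_y M(y) N(x xor y)."""
    out = []
    for x in range(1 << N):
        acc = mat_zero()
        for y in range(1 << N):
            acc = mat_add(acc, mat_mul(m[y], n[x ^ y]))
        out.append(acc)
    return out

def fourier(m):
    """F(M)(alpha) = 2^{-n/2} sum_x (-1)^{alpha.x} M(x)."""
    out = []
    for alpha in range(1 << N):
        acc = mat_zero()
        for x in range(1 << N):
            acc = mat_add(acc, mat_scale((-1) ** parity(alpha, x), m[x]))
        out.append(mat_scale(2 ** (-N / 2), acc))
    return out

def l2_norm(m):
    """||M||_2 = sqrt( tr( sum_x M(x)^dagger M(x) ) )."""
    acc = mat_zero()
    for mx in m:
        acc = mat_add(acc, mat_mul(mat_dagger(mx), mx))
    return math.sqrt(mat_trace(acc).real)

def bias(dist, alpha):
    return abs(sum(p * (-1) ** parity(alpha, a) for a, p in dist.items()))

# --- constructed sample functions -----------------------------------------
def sample_functions():
    """M(x) = P_X(x) * H_x with H_x Hermitian; N(x) = P_A(x) * identity."""
    p_x = {x: (x + 1) / sum(range(1, (1 << N) + 1)) for x in range(1 << N)}
    p_a = {a: (1 / 8 if a < 8 else 0.0) for a in range(1 << N)}  # A uniform on a sub-cube
    m = []
    for x in range(1 << N):
        h_x = [[x % 3 + 0j, cmath.exp(1j * x)], [cmath.exp(-1j * x), 1 + 0j]]
        m.append(mat_scale(p_x[x], h_x))
    n = [mat_scale(p_a[a], IDENTITY) for a in range(1 << N)]
    return p_x, p_a, m, n

def check_lemma_4_1():
    """Return (convolution theorem holds, Parseval holds, F(N) = 2^{-n/2} bias * 1)."""
    _, p_a, m, n = sample_functions()
    lhs = fourier(convolve(m, n))
    fm, fn = fourier(m), fourier(n)
    rhs = [mat_scale(2 ** (N / 2), mat_mul(fm[a], fn[a])) for a in range(1 << N)]
    conv_ok = all(mat_close(lhs[a], rhs[a]) for a in range(1 << N))
    parseval_ok = abs(l2_norm(fm) - l2_norm(m)) < 1e-9
    bias_ok = all(mat_close(fn[a], mat_scale(2 ** (-N / 2) * bias(p_a, a), IDENTITY))
                  for a in range(1 << N))
    return conv_ok, parseval_ok, bias_ok

if __name__ == "__main__":
    print(check_lemma_4_1())
```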



4.2 The $L_2$-Distance from Uniform

The following lemmas together with their proofs can be found in [22]. Again, we restrict ourselves to the case where $\rho_{XB}$ and $\sigma_B$ are normalized and $\rho_{XB}$ is classical on $X$, whereas the claims hold (partly) more generally.

Definition 4.2. Let $\rho_{XB} \in \mathcal{P}(\mathcal{H}_X \otimes \mathcal{H}_B)$ and $\sigma_B \in \mathcal{P}(\mathcal{H}_B)$. Then the conditional $L_2$-distance from uniform of $\rho_{XB}$ relative to $\sigma_B$ is

$$d_2(\rho_{XB}|\sigma_B) := \mathrm{tr}\Bigl(\bigl((\mathbb{1} \otimes \sigma_B^{-1/4})(\rho_{XB} - \rho_U \otimes \rho_B)(\mathbb{1} \otimes \sigma_B^{-1/4})\bigr)^2\Bigr),$$

where $\rho_U := \frac{1}{\dim(\mathcal{H}_X)}\mathbb{1}$ is the fully mixed state on $\mathcal{H}_X$.

Lemma 4.3. Let $\rho_{XB} \in \mathcal{P}(\mathcal{H}_X \otimes \mathcal{H}_B)$. Then, for any normalized $\sigma_B \in \mathcal{P}(\mathcal{H}_B)$,

$$d(\rho_{XB}|B) \le \sqrt{\dim(\mathcal{H}_X)}\,\sqrt{d_2(\rho_{XB}|\sigma_B)}.$$

Lemma 4.4. Let $\rho_{XB} \in \mathcal{P}(\mathcal{H}_X \otimes \mathcal{H}_B)$ be classical on $\mathcal{H}_X$ with $X \in \mathcal{X}$, and let $\rho_B^x$ be the corresponding normalized conditional operators. Then, for any $\sigma_B \in \mathcal{P}(\mathcal{H}_B)$,

$$d_2(\rho_{XB}|\sigma_B) = \sum_x \mathrm{tr}\bigl((\sigma_B^{-1/4} P_X(x)\,\rho_B^x\,\sigma_B^{-1/4})^2\bigr) - \frac{1}{|\mathcal{X}|}\,\mathrm{tr}\bigl((\sigma_B^{-1/4}\rho_B\sigma_B^{-1/4})^2\bigr).$$

4.3 Proof of Theorem 3.2

Write $D_I = A_I \oplus X$ and $D_i = A_i \oplus X$. Since $\rho_{D_IBI} = \sum_i \frac{1}{|\mathcal{I}|}\,\rho_{D_iB} \otimes |i\rangle\langle i| = \frac{1}{|\mathcal{I}|}\sum_i \rho_{D_iB} \otimes |i\rangle\langle i|$, and similarly for $\rho_{BI}$, it follows that the $L_1$-distance from uniform can be written as an expectation over the random choice of $i$ from $\mathcal{I}$. Indeed,

$$d(\rho_{D_IBI}|BI) = \frac{1}{|\mathcal{I}|}\,\mathrm{tr}\Bigl(\Bigl|\sum_i (\rho_{D_iB} - \rho_U \otimes \rho_B) \otimes |i\rangle\langle i|\Bigr|\Bigr) = \frac{1}{|\mathcal{I}|}\sum_i \mathrm{tr}\bigl(|\rho_{D_iB} - \rho_U \otimes \rho_B|\bigr) = \frac{1}{|\mathcal{I}|}\sum_i d(\rho_{D_iB}|B) = \mathbb{E}_{i \leftarrow \mathcal{I}}\bigl[d(\rho_{D_iB}|B)\bigr],$$

where the second equality follows from the block-diagonal form of the matrix. With Lemma 4.3, the term in the expectation can be bounded in terms of the $L_2$-distance from uniform, that is, for any normalized $\sigma_B \in \mathcal{P}(\mathcal{H}_B)$,

$$d(\rho_{D_IBI}|BI) \le \sqrt{2^n}\;\mathbb{E}_{i \leftarrow \mathcal{I}}\Bigl[\sqrt{d_2(\rho_{D_iB}|\sigma_B)}\Bigr] \le 2^{n/2}\sqrt{\mathbb{E}_{i \leftarrow \mathcal{I}}\bigl[d_2(\rho_{D_iB}|\sigma_B)\bigr]},$$

where the second inequality is Jensen's inequality. By Lemma 4.4 we have for the $L_2$-distance

$$d_2(\rho_{D_iB}|\sigma_B) = \mathrm{tr}\Bigl(\sum_d \bigl(\sigma_B^{-1/4} P_{D_i}(d)\,\rho_B^d\,\sigma_B^{-1/4}\bigr)^2\Bigr) - \frac{1}{2^n}\,\mathrm{tr}\bigl((\sigma_B^{-1/4}\rho_B\sigma_B^{-1/4})^2\bigr). \qquad (1)$$

Note that

$$P_{D_i}(d)\,\rho_B^d = P_{D_i}(d)\sum_x P_{X|D_i}(x|d)\,\rho_B^x = \sum_x P_{XD_i}(x,d)\,\rho_B^x = \sum_x P_{XA_i}(x, d \oplus x)\,\rho_B^x = \sum_x P_X(x)\,P_{A_i}(d \oplus x)\,\rho_B^x,$$

so that the first term on the right-hand side of (1) can be written as

$$\mathrm{tr}\Bigl(\sum_d \Bigl(\sum_x \sigma_B^{-1/4} P_X(x)\,\rho_B^x\,\sigma_B^{-1/4}\,P_{A_i}(d \oplus x)\Bigr)^2\Bigr).$$

The crucial observation now is that the term that is squared on the right side is the convolution of the two matrix-valued functions $M: x \mapsto P_X(x)\,\sigma_B^{-1/4}\rho_B^x\sigma_B^{-1/4}$ and $N: x \mapsto P_{A_i}(x)\,\mathbb{1}$, and the whole expression equals $\|M * N\|_2^2$. Thus, using Lemma 4.1 we get

$$\mathrm{tr}\Bigl(\sum_d \Bigl(\sum_x \sigma_B^{-1/4} P_X(x)\,\rho_B^x\,\sigma_B^{-1/4}\,P_{A_i}(d \oplus x)\Bigr)^2\Bigr) = \|M * N\|_2^2 = \|\mathcal{F}(M * N)\|_2^2 = \bigl\|2^{n/2}\,\mathcal{F}(M) \cdot \mathcal{F}(N)\bigr\|_2^2 = 2^n\,\mathrm{tr}\Bigl(\sum_\alpha \mathcal{F}(M)(\alpha)^2\,\mathcal{F}(N)(\alpha)^2\Bigr) \qquad (2)$$

$$= \frac{1}{2^n}\,\mathrm{tr}\bigl((\sigma_B^{-1/4}\rho_B\sigma_B^{-1/4})^2\bigr) + \mathrm{tr}\Bigl(\sum_{\alpha \neq 0} \mathcal{F}(M)(\alpha)^2\,\mathrm{bias}_\alpha(A_i)^2\Bigr),$$

where the last equality uses

$$\mathcal{F}(M)(0) = 2^{-n/2}\sum_x P_X(x)\,\sigma_B^{-1/4}\rho_B^x\sigma_B^{-1/4} = 2^{-n/2}\,\sigma_B^{-1/4}\rho_B\sigma_B^{-1/4}$$

as well as

$$\mathcal{F}(N)(0) = 2^{-n/2}\sum_x P_{A_i}(x)\,\mathbb{1} = 2^{-n/2}\,\mathbb{1} \quad\text{and}\quad \mathcal{F}(N)(\alpha) = 2^{-n/2}\cdot\mathrm{bias}_\alpha(A_i)\,\mathbb{1}.$$

Substituting (2) into (1) gives

$$d_2(\rho_{D_iB}|\sigma_B) = \mathrm{tr}\Bigl(\sum_{\alpha \neq 0} \mathcal{F}(M)(\alpha)^2\,\mathrm{bias}_\alpha(A_i)^2\Bigr).$$

Using the linearity of the expectation and trace, and using the bound on the expected square-bias, we get

$$\mathbb{E}_{i \leftarrow \mathcal{I}}\bigl[d_2(\rho_{D_iB}|\sigma_B)\bigr] \le \delta^2\,\mathrm{tr}\Bigl(\sum_{\alpha \neq 0} \mathcal{F}(M)(\alpha)^2\Bigr) \le \delta^2\,\mathrm{tr}\Bigl(\sum_\alpha \mathcal{F}(M)(\alpha)^2\Bigr) = \delta^2\,\|\mathcal{F}(M)\|_2^2 = \delta^2\,\|M\|_2^2 = \delta^2 \sum_x \mathrm{tr}\bigl((\sigma_B^{-1/4} P_X(x)\,\rho_B^x\,\sigma_B^{-1/4})^2\bigr) = \delta^2\, 2^{-H_2(\rho_{XB}|\sigma_B)},$$

where the second inequality follows because of

$$\mathrm{tr}\bigl(\mathcal{F}(M)(0)^2\bigr) = 2^{-n}\,\mathrm{tr}\bigl((\sigma_B^{-1/4}\rho_B\sigma_B^{-1/4})^2\bigr) \ge 0.$$

Therefore,

$$d(\rho_{D_IBI}|BI) \le 2^{n/2}\sqrt{\mathbb{E}_{i \leftarrow \mathcal{I}}\bigl[d_2(\rho_{D_iB}|\sigma_B)\bigr]} \le \delta \cdot 2^{-\frac{1}{2}(H_2(\rho_{XB}|\sigma_B) - n)},$$

and the assertion follows from the definition of $H_2(\rho_{XB}|B)$ because $\sigma_B$ was arbitrary. □

² We will only deal with Hermitian matrices $M(x)$, where $\|M\|_2 = \sqrt{\mathrm{tr}(\sum_x M(x)^2)}$.

5 Application I: Entropic Security 

Entropic security is a relaxed but still meaningful security definition for (information-theoretically secure) encryption that allows one to circumvent Shannon's pessimistic result, which states that any perfectly secure encryption scheme requires a key at least as long as the message to be encrypted. Entropic security was introduced by Russell and Wang [25], and later more intensively investigated by Dodis and Smith [12]. Based on our result, and in combination with techniques from [12], we show how to achieve entropic security against quantum adversaries. We would like to stress that, in contrast to perfect security, e.g. when using the one-time pad, entropic security does not a priori protect against a quantum adversary.
Informally, entropic security is defined as follows. An encryption scheme is entropically secure if no adversary can obtain any information on the message $M$ from its ciphertext $C$ (in addition to what she can learn from scratch), provided the message $M$ has enough uncertainty from the adversary's point of view. The impossibility of obtaining any information on $M$ is formalized by requiring that any adversary that can compute $f(M)$ for some function $f$ when given $C$, can also compute $f(M)$ without $C$ (with similar success probability). A different formulation, which is named indistinguishability, is to require that there exists a random variable $\tilde{C}$, independent of $M$, such that $C$ and $\tilde{C}$ are essentially identically distributed. It is shown in [12], and in [8] for the case of a quantum message, that the two notions are equivalent if the adversary's information on $M$ is classical. In recent work, Desrosiers and Dupuis proved this equivalence to hold also for an adversary with quantum information [9].

The adversary's uncertainty on $M$ is formalized, for a classical (i.e. non-quantum) adversary, by the min-entropy $H_\infty(M|V = v)$ (or, alternatively, the collision-entropy) of $M$, conditioned on the value $v$ the adversary's view $V$ takes on. We formalize this uncertainty for a quantum adversary in terms of the quantum version of conditional min- or actually collision-entropy, as introduced in Section 2.

Definition 5.1. We call a (possibly randomized) encryption scheme $E: \mathcal{K} \times \mathcal{M} \to \mathcal{C}$ $(t,\varepsilon)$-quantum-indistinguishable if there exists a random variable $\tilde{C}$ over $\mathcal{C}$ such that for any normalized $\rho_{MB} \in \mathcal{P}(\mathcal{H}_M \otimes \mathcal{H}_B)$ which is classical on $\mathcal{H}_M$ with $M \in \mathcal{M}$ and $H_2(\rho_{MB}|B) \ge t$, we have that

$$\|\rho_{E(K,M)B} - \rho_{\tilde{C}} \otimes \rho_B\|_1 \le \varepsilon,$$

where $K$ is uniformly and independently distributed over $\mathcal{K}$.

Note that in case of an "empty" state $B$, our definition coincides with the indistinguishability definition from [12] (except that we express it in collision- rather than min-entropy).

Theorem 3.2 with $\mathcal{I} = \{i_0\}$ and $A_{i_0} = K$ immediately gives a generic construction for a quantum-indistinguishable encryption scheme (with $\tilde{C}$ being uniformly distributed). Independently, this result was also obtained in [9].

Theorem 5.2. Let $\mathcal{K} \subseteq \{0,1\}^n$ be such that the uniform distribution $K$ over $\mathcal{K}$ is δ-biased. Then the encryption scheme $E: \mathcal{K} \times \{0,1\}^n \to \{0,1\}^n$ with $E(k,m) = k \oplus m$ is $(t,\varepsilon)$-quantum-indistinguishable with $\varepsilon = \delta \cdot 2^{-\frac{1}{2}(t-n)}$.

Alon et al. [1] showed how to construct subsets $\mathcal{K} \subseteq \{0,1\}^n$ of size $|\mathcal{K}| = O(n^2/\delta^2)$ such that the uniform distribution $K$ over $\mathcal{K}$ is δ-biased and elements in $\mathcal{K}$ can be efficiently sampled. With the help of this construction, we get the following result, which generalizes the bound on the key size obtained in [12] to the quantum setting.

Corollary 5.3. For any $\varepsilon > 0$ and $0 < t < n$, there exists a $(t,\varepsilon)$-quantum-indistinguishable encryption scheme encrypting $n$-bit messages with key length $\ell = \log|\mathcal{K}| = n - t + 2\log(n) + 2\log(\tfrac{1}{\varepsilon}) + O(1)$.
In the language of extractors, defining a $(t,\varepsilon)$-quantum extractor in the natural way as follows, Corollary 5.3 translates to Corollary 5.5 below.

Definition 5.4. A function $E: \mathcal{J} \times \mathcal{X} \to \{0,1\}^m$ is called a $(t,\varepsilon)$-weak quantum extractor if $d(\rho_{E(J,X)B}|B) \le \varepsilon$, and a $(t,\varepsilon)$-strong quantum extractor if $d(\rho_{E(J,X)JB}|JB) \le \varepsilon$, for any normalized $\rho_{XB} \in \mathcal{P}(\mathcal{H}_X \otimes \mathcal{H}_B)$ which is classical on $\mathcal{H}_X$ with $X \in \mathcal{X}$ and $H_2(\rho_{XB}|B) \ge t$, and where $J$ is uniformly and independently distributed over $\mathcal{J}$.

Corollary 5.5. For any $\varepsilon > 0$ and $0 < t < n$, there exists a $(t,\varepsilon)$-weak quantum extractor with $n$-bit output and seed length $\ell = \log|\mathcal{K}| = n - t + 2\log(n) + 2\log(\tfrac{1}{\varepsilon}) + O(1)$.
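As an added, concrete instance of Theorem 5.2 and Corollary 5.3 (this script is not from the paper, which only cites Alon et al. [1] for the existence of small key sets), the following Python code builds a key set by the "powering" construction over $\mathrm{GF}(2^m)$, used here as an assumed construction: a key is indexed by a seed $(x, y)$ of $2m = 14$ bits, and its $i$-th bit is the inner product of the bit-representations of $x^i$ and $y$. A non-trivial parity $\alpha$ of the key therefore equals $\langle p_\alpha(x), y\rangle$ with $p_\alpha(X) = \sum_i \alpha_i X^i$, which is biased only on the at most $n-1$ roots of $p_\alpha$, so $\delta \le (n-1)/2^m$. The script computes δ exactly with a Walsh–Hadamard transform rather than relying on that bound, and derives the $(t,\varepsilon)$ of the scheme $E(k,m) = k \oplus m$ for 16-bit messages with this 14-bit key. The values of $n$, $m$ and the field polynomial are choices made here.

```python
import math
import random

# Added example (not from the paper): a toy instance of Theorem 5.2 with an
# explicit small-biased key set from the powering construction (assumed).
# n, m and the reduction polynomial are constructed choices.

M_BITS = 7                 # GF(2^7), reduction polynomial x^7 + x + 1
FIELD_POLY = 0b10000011
N = 16                     # message and key length; the seed has 2m = 14 < n bits

def gf_mul(a, b):
    """Multiplication in GF(2^m) modulo FIELD_POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> M_BITS:
            a ^= FIELD_POLY
    return r

def parity(a, x):
    """Inner product a.x modulo 2 of two bit vectors stored as ints."""
    return bin(a & x).count("1") & 1

def powering_key(x, y):
    """n-bit key with bit i = <x^i, y>, i = 0..n-1 (x^0 = 1 also for x = 0)."""
    key, x_pow = 0, 1
    for i in range(N):
        key |= parity(x_pow, y) << i
        x_pow = gf_mul(x_pow, x)
    return key

def key_set():
    """All 2^(2m) keys, one per seed (x, y); K is uniform over this multiset."""
    return [powering_key(x, y) for x in range(1 << M_BITS) for y in range(1 << M_BITS)]

def walsh_hadamard(counts):
    """Unnormalized Walsh-Hadamard transform: W[alpha] = sum_a c[a] (-1)^{alpha.a}."""
    w = list(counts)
    h = 1
    while h < len(w):
        for i in range(0, len(w), 2 * h):
            for j in range(i, i + h):
                u, v = w[j], w[j + h]
                w[j], w[j + h] = u + v, u - v
        h *= 2
    return w

def exact_delta(keys):
    """delta of Definition 3.1 for K uniform over `keys`, as an exact fraction (num, den)."""
    counts = [0] * (1 << N)
    for k in keys:
        counts[k] += 1
    w = walsh_hadamard(counts)
    return max(abs(w[alpha]) for alpha in range(1, 1 << N)), len(keys)

def sample_key(rng):
    """Pick a seed (x, y) uniformly; the key length is the 2m seed bits."""
    return powering_key(rng.randrange(1 << M_BITS), rng.randrange(1 << M_BITS))

def encrypt(key, message):
    return key ^ message              # E(k, m) = k xor m

def decrypt(key, ciphertext):
    return key ^ ciphertext

def scheme_parameters(t):
    """(key length, delta, epsilon, root-bound check) for messages with H_2 >= t."""
    keys = key_set()
    num, den = exact_delta(keys)
    delta = num / den
    root_bound_ok = num * (1 << M_BITS) <= (N - 1) * den   # delta <= (n-1)/2^m
    epsilon = delta * 2 ** (-(t - N) / 2)                  # Theorem 5.2
    return math.log2(len(keys)), delta, epsilon, root_bound_ok

if __name__ == "__main__":
    ell, delta, eps, ok = scheme_parameters(t=13)
    print(f"key length {ell:.0f} bits for n = {N}, delta = {delta:.4f}, "
          f"epsilon = {eps:.3f}, root bound holds: {ok}")
    k = sample_key(random.Random(3))
    print(hex(decrypt(k, encrypt(k, 0xBEEF))))
```

With these toy parameters the key is only two bits shorter than the message and ε is correspondingly modest; the point of the run is to see the three quantities of Corollary 5.3 (key length, δ, and the resulting ε for a given entropy threshold $t$) fall out of one explicit, efficiently samplable set.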

6 Application II: Private Error Correction 

Consider the following scenario. Two parties, Alice and Bob, share a common secret key $K$. Furthermore, we assume a "random source" which can be queried by Alice and Bob so that on identical queries it produces identical outputs. In particular, when Alice and Bob both query the source on input $K$, they both obtain the same "raw key" $X \in \{0,1\}^n$. We also give an adversary Eve access to the source. She can obtain some (partial) information on the source and store it, possibly in a quantum state $\rho_Z$. However, we assume she has some uncertainty about $X$, because due to her ignorance of $K$, she is unable to extract "the right" information from the source. Such an assumption of course needs to be justified in a specific implementation. Specifically, we require that $H_\infty(\rho_{XKZ}|KZ)$ is lower bounded, i.e., Eve has uncertainty in $X$ even if at some later point she learns $K$, but only once the source has disappeared in the meantime.

Such a scenario for instance arises in the bounded-storage model [19, 3] (though with classical Eve), when $K$ is used to determine which bits of the long randomizer Alice and Bob should read to obtain $X$, or in a quantum setting when Alice sends $n$ qubits to Bob and $K$ influences the basis in which Alice prepares them, respectively Bob measures them.

In this setting, it is well known how to transform, by public (authenticated) communication, the weakly secure raw key $X$ into a fully secure key $S$: Alice and Bob do privacy amplification, as shown in [4, 5] in case of a classical Eve, respectively as in [23, 22] in case of a quantum Eve. Indeed, under the above assumptions on the entropy of $X$, privacy amplification guarantees that the resulting key $S$ looks essentially random for Eve even given $K$. This guarantee implies that $S$ can be used, say, as a one-time-pad encryption key, but it also implies that if Eve learns $S$, she still has essentially no information on $K$, and thus $K$ can be safely re-used for the generation of a new key $S$.

Consider now a more realistic scenario, where due to noise or imperfect measurements Alice's string $X$ and Bob's string $X'$ are close but not exactly equal. There are standard techniques to do error correction (without giving Eve too much information on $X$): Alice and Bob agree on a suitable error-correcting code $\mathcal{C}$, Alice samples a random codeword $C$ from $\mathcal{C}$ and sends $Y = X \oplus C$ to Bob, who can recover $X$ by decoding $C' = Y \oplus X'$ to the nearest codeword $C$ and computing $X = Y \oplus C$. Or equivalently, in case of a linear code, Alice can send the syndrome of $X$ to Bob, which allows Bob to recover $X$ in a similar manner. If Eve's entropy in $X$ is significantly larger than the size of the syndrome, then one can argue that privacy amplification still works and the resulting key $S$ is still (close to) random given Eve's information (including the syndrome) and $K$. Thus, $S$ is still a secure key. However, since $X$ depends on $K$, and the syndrome of $X$ depends on $X$, the syndrome of $X$ may give information on $K$ to Eve, which makes it insecure to re-use $K$. A common approach to deal with this problem is to use part of $S$ as the key $K$ in the next session. Such an approach not only creates a lot of inconvenience for Alice and Bob in that they now have to be stateful and synchronized, but in many cases Eve can prevent Alice and Bob from agreeing on a secure key $S$ (for instance by blocking the last message) while nevertheless learning information on $K$, and thus Eve can still cause Alice and Bob to run out of key material.
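As an added illustration of the two error-correction variants just described (the script is not from the paper, which fixes no concrete code), the following Python code uses the binary Hamming [7,4] code: Alice either sends $Y = X \oplus C$ for a random codeword $C$, or the syndrome of $X$, and Bob decodes to the nearest codeword and recovers $X$ from his noisy $X'$. It also checks that $Y$ has the same syndrome as $X$: $Y$ is a uniformly random element of the coset of $X$, so what Eve learns from it is exactly that linear function of $X$, which is the leakage the paragraph identifies. The raw keys and error patterns are constructed values.

```python
import random

# Added example (not from the paper): the error-correction exchange of
# Section 6 instantiated with the binary Hamming [7,4] code. The code,
# the raw keys and the error patterns are constructed here.

N = 7  # code length

def parity(a, x):
    """Inner product a.x modulo 2 of two bit vectors stored as ints."""
    return bin(a & x).count("1") & 1

# Parity-check matrix H of the Hamming code: column i (i = 0..6) is the
# binary representation of i + 1. Each row is stored as a 7-bit mask.
H_ROWS = [sum(1 << i for i in range(N) if (i + 1) >> r & 1) for r in range(3)]

def syndrome(word):
    """H . word as a 3-bit integer (0 exactly for the codewords)."""
    return sum(parity(h, word) << r for r, h in enumerate(H_ROWS))

# The code C is the kernel of H: 16 codewords of length 7.
CODEWORDS = [c for c in range(1 << N) if syndrome(c) == 0]

# Coset leaders: the minimum-weight error pattern for each syndrome. The
# Hamming code is perfect, so the zero pattern and the 7 single-bit errors
# cover all 8 syndromes.
COSET_LEADER = {0: 0}
for i in range(N):
    COSET_LEADER[syndrome(1 << i)] = 1 << i

def nearest_codeword(word):
    """Decode to the nearest codeword (corrects any single-bit error)."""
    return word ^ COSET_LEADER[syndrome(word)]

# --- variant 1: Alice sends Y = X xor C for a random codeword C -----------
def alice_send_masked(x, rng):
    return x ^ rng.choice(CODEWORDS)

def bob_recover_masked(y, x_prime):
    c = nearest_codeword(y ^ x_prime)   # C' = Y xor X' decoded to the nearest codeword
    return y ^ c                         # X = Y xor C

# --- variant 2 (linear code): Alice sends the syndrome of X ---------------
def alice_send_syndrome(x):
    return syndrome(x)

def bob_recover_from_syndrome(s, x_prime):
    # syndrome(X') xor syndrome(X) = syndrome(X' xor X) = syndrome of the error
    return x_prime ^ COSET_LEADER[syndrome(x_prime) ^ s]

def leaks_exactly_syndrome(x, y):
    """Y = X xor C lies in the coset of X, so it reveals H.X and nothing beyond it."""
    return syndrome(y) == syndrome(x)

def run_session(x, error_mask, seed=1):
    """Return (X recovered from Y, X recovered from the syndrome, leakage check)."""
    rng = random.Random(seed)
    x_prime = x ^ error_mask             # Bob's noisy version of the raw key
    y = alice_send_masked(x, rng)
    s = alice_send_syndrome(x)
    return (bob_recover_masked(y, x_prime),
            bob_recover_from_syndrome(s, x_prime),
            leaks_exactly_syndrome(x, y))

if __name__ == "__main__":
    x, e = 0b1011001, 1 << 4             # constructed raw key and a single-bit error
    print(run_session(x, e))
```

Both variants transmit the same three bits of information about $X$ (the syndrome, i.e. the coset of $X$), which is why the paragraph treats them as equivalent; the remainder of Section 6 is about choosing the code family so that this leakage is harmless for $K$.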

In [11], Dodis and Smith addressed this problem and proposed an elegant solution in case of a classical Eve. They constructed a family of codes which not only allows one to efficiently correct errors, but at the same time also serves as a randomness extractor. More precisely, they show that for every $0 < \lambda < 1$, there exists a family $\{\mathcal{C}_j\}_{j \in \mathcal{J}}$ of binary linear codes of length $n$, which allows one to efficiently correct a constant fraction of errors, and which is δ-biased for $\delta \le 2^{-\lambda n/2}$. The latter is to be understood that the family $\{C_j\}_{j \in \mathcal{J}}$ of random variables, where $C_j$ is uniformly distributed over $\mathcal{C}_j$, is δ-biased for $\delta \le 2^{-\lambda n/2}$. Applying Lemma 4 of [11] (the classical version of Theorem 3.2) implies that $C_j \oplus X$ is close to random for any $X$ with large enough entropy, given $j$. Similarly, applying our Theorem 3.2 implies the following.

Theorem 6.1. For every $0 < \lambda < 1$ there exists a family $\{\mathcal{C}_j\}_{j \in \mathcal{J}}$ of binary linear codes of length $n$ which allows one to efficiently correct a constant fraction of errors, and such that for any density matrix $\rho_{XB} \in \mathcal{P}(\mathcal{H}_X \otimes \mathcal{H}_B)$ which is classical on $\mathcal{H}_X$ with $X \in \{0,1\}^n$ and $H_2(\rho_{XB}|B) \ge t$, it holds that

$$d(\rho_{(C_J \oplus X)BJ}|BJ) \le 2^{-\frac{1}{2}(\lambda n + t - n)},$$

where $J$ is uniformly distributed over $\mathcal{J}$ and $C_J$ is uniformly distributed over $\mathcal{C}_J$.

Using a random code from such a family of codes allows one to do error correction in the noisy setting described above without leaking information on $K$ to Eve: By the chain rule [22, Sect. 3.1.3], the assumed lower bound on $H_\infty(\rho_{XKZ}|KZ)$ implies a lower bound on $H_\infty(\rho_{XSKZG}|SKZG)$ (essentially the original bound minus the bit length $\ell$ of $S$), where $G$ is the randomly chosen universal hash function used to extract $S$ from $X$. Combining systems $S$, $K$, $Z$ and $G$ into system $B$, Theorem 6.1 implies that $\rho_{(C_J \oplus X)SKZGJ} \approx \frac{\mathbb{1}}{2^n} \otimes \rho_{SKZGJ}$. From standard privacy amplification it follows that $\rho_{SKZGJ} \approx \frac{\mathbb{1}}{2^\ell} \otimes \rho_{KZGJ}$. Using the independence of $K$, $G$, $J$ (from $Z$ and from each other), we obtain $\rho_{(C_J \oplus X)SKZGJ} \approx \frac{\mathbb{1}}{2^n} \otimes \frac{\mathbb{1}}{2^\ell} \otimes \rho_K \otimes \rho_Z \otimes \rho_G \otimes \rho_J$. This in particular implies that $S$ is a secure key (even when $K$ is given to Eve) and that $K$ is still "fresh" and can be safely re-used (even when $S$ is additionally given to Eve).

Specifically, our private-error-correction techniques allow to add robustness 
against noise to the bounded-storage model in the presence of a quantum attacker 
as considered in [17], without the need for updating the common secret key. The 
results of [17] guarantee that the min-entropy of the sampled substring is lower 
bounded given the attacker's quantum information and hence, security follows as 
outlined above. Furthermore, in [7] the above private-error-correction technique 
is an essential ingredient to add robustness against noise but also to protect 
against man-in-the-middle attacks in new quantum-identification and 
quantum-key-distribution schemes in the bounded-quantum-storage model. 

In the language of extractors, we get the following result for arbitrary, not 
necessarily efficiently decodable, binary linear codes. 

Corollary 6.2. Let $\{C_j\}_{j \in \mathcal{J}}$ be a $\delta$-biased family of binary linear $[n, k, d]$-codes. 
For any $j \in \mathcal{J}$, let $G_j$ be a generator matrix for the code $C_j$ and let $H_j$ be a 
corresponding parity-check matrix. Then $E : \mathcal{J} \times \{0,1\}^n \to \{0,1\}^{n-k}$, $(j, x) \mapsto 
H_j x$ is a $(t, \varepsilon)$-strong quantum extractor with $\varepsilon = \delta \cdot 2^{(n-t)/2}$. 

This result gives rise to new privacy-amplification techniques, beyond using 
universal hashing as in [53] or one-bit extractors as in [15]. Note that using 
arguments from [11], it is easy to see that the condition that $\{C_j\}_{j \in \mathcal{J}}$ is $\delta$-biased, 
and thus the syndrome function $H_j$ is a good strong extractor, is equivalent 
to requiring that $\{G_j\}_{j \in \mathcal{J}}$ seen as a family of (encoding) functions is $\delta^2$-almost 
universal [30, 28]. 

For a family of binary linear codes $\{C_j\}_{j \in \mathcal{J}}$, another equivalent condition for 
$\delta$-bias of $\{C_j\}_{j \in \mathcal{J}}$ is to require that for all non-zero $\alpha$, $P_{j \in \mathcal{J}}[\alpha \in C_j^\perp] \le \delta^2$, 
i.e. that the probability that $\alpha$ is in the dual code of $C_j$ is upper bounded by $\delta^2$ 
[11]. It follows that the family size $|\mathcal{J}|$ has to be exponential in $n$ to achieve an 
exponentially small bias $\delta$ and therefore, the seed length $\log |\mathcal{J}|$ of the strong 
extractor will be linear in $n$ as for the case of two-universal hashing. 
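As an added example, not code from the paper, the following Python brute-forces the two quantities this section relates for a small constructed family of codes: the squared bias $\delta^2$ of the family via the dual-code criterion $\max_{\alpha \ne 0} P_j[\alpha \in C_j^\perp]$, and the statistical distance of the syndrome extractor $E(j, x) = H_j x$ of Corollary 6.2 from uniform, for comparison with the bound $\varepsilon = \delta \cdot 2^{(n-t)/2}$; it also carries out Bob's syndrome-based recovery step from the beginning of this section. Assumptions (all constructed here): the family is every full-rank $2 \times 4$ parity-check matrix, the source $X$ is uniform on a four-element set, and the recovery demo uses a standard $[7,4]$ Hamming parity-check matrix.

```python
from collections import Counter
from fractions import Fraction
from itertools import product

def gf2_dot(a, b):
    """Inner product of two bit tuples over GF(2)."""
    return sum(x & y for x, y in zip(a, b)) & 1

def syndrome(H, x):
    """Corollary 6.2's extractor E(j, x) = H_j x, as a tuple of n-k parity bits."""
    return tuple(gf2_dot(row, x) for row in H)

def row_space(H, n):
    """All GF(2) combinations of the rows of H, i.e. the dual code C^perp."""
    return {tuple(sum(u[i] & r[c] for i, r in enumerate(H)) & 1 for c in range(n))
            for u in product((0, 1), repeat=len(H))}

def all_codes(n, k):
    """Constructed family: every (n-k) x n parity-check matrix with independent rows."""
    return [H for H in product(product((0, 1), repeat=n), repeat=n - k)
            if len(row_space(H, n)) == 2 ** (n - k)]

def family_bias_squared(Hs, n):
    """delta^2 = max over nonzero alpha of Pr_j[alpha in C_j^perp] (the Sect. 6 criterion)."""
    duals = [row_space(H, n) for H in Hs]
    return max(Fraction(sum(alpha in D for D in duals), len(Hs))
               for alpha in product((0, 1), repeat=n) if any(alpha))

def extractor_distance(Hs, n, support):
    """Statistical distance of (J, H_J X) from (J, uniform) for X uniform on `support`."""
    m, total = len(Hs[0]), Fraction(0)
    for H in Hs:
        counts = Counter(syndrome(H, x) for x in support)
        total += sum(abs(Fraction(counts[s], len(support)) - Fraction(1, 2 ** m))
                     for s in product((0, 1), repeat=m)) / 2
    return total / len(Hs)

def reconcile(H, y, s):
    """Bob's step from Sect. 6: X = Y xor e, e the lightest vector with H e = H y xor s."""
    target = tuple(a ^ b for a, b in zip(syndrome(H, y), s))
    e = min((v for v in product((0, 1), repeat=len(y)) if syndrome(H, v) == target), key=sum)
    return tuple(a ^ b for a, b in zip(y, e))

if __name__ == "__main__":
    Hs = all_codes(4, 2)                                       # 210 codes
    d2 = family_bias_squared(Hs, 4)                            # Fraction(1, 5)
    X_support = [(0, 0, 0, 0), (0, 0, 0, 1), (0, 0, 1, 0), (0, 0, 1, 1)]  # t = 2 bits of entropy
    sd = extractor_distance(Hs, 4, X_support)                  # Fraction(39, 140)
    print(len(Hs), d2, sd, float(d2) ** 0.5 * 2 ** ((4 - 2) / 2))  # last: epsilon = delta * 2^((n-t)/2)
```

For this family the exact distance (39/140) sits well below the bound of the corollary (about 0.894), which is tight only up to the generic $2^{(n-t)/2}$ loss; the recovery step is exact whenever the error is within the code's correction radius.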

7 Conclusion 

We proposed a new technique for randomness extraction in the presence of a 
quantum attacker. This is interesting in its own right, as to date only very few 
extractors are known to be secure against quantum adversaries, much in contrast 
to the classical non-quantum case. The new randomness-extraction technique 
has various cryptographic applications like entropically secure encryption, in 
the classical bounded-storage model and the bounded-quantum-storage model, 
and in quantum key distribution. Furthermore, because of the wide range of 
applications of classical extractors not only in cryptography but also in other ar- 
eas of theoretical computer science, we feel that our new randomness-extraction 
technique will prove to be useful in other contexts as well. 
A Proof of Lemma 4.1 

Concerning the first claim, 

$$
\begin{aligned}
\mathcal{F}(M * N)(\alpha) 
&= 2^{-n/2} \sum_x (-1)^{\alpha \cdot x} \sum_y M(y) N(x \oplus y) \\
&= 2^{-n/2} \sum_y (-1)^{\alpha \cdot y} M(y) \sum_x (-1)^{\alpha \cdot (x \oplus y)} N(x \oplus y) \\
&= 2^{-n/2} \sum_y (-1)^{\alpha \cdot y} M(y) \sum_z (-1)^{\alpha \cdot z} N(z) \\
&= 2^{n/2} \, \mathcal{F}(M)(\alpha) \, \mathcal{F}(N)(\alpha) .
\end{aligned}
$$

The second claim is argued as follows. Its left-hand side equals 

$$
2^{-n} \, \mathrm{tr}\Big( \sum_{x, x'} M(x)^\dagger M(x') \sum_\alpha (-1)^{\alpha \cdot (x \oplus x')} \Big) 
= \mathrm{tr}\Big( \sum_x M(x)^\dagger M(x) \Big) , 
$$

where the last equality follows from the fact that $\sum_\alpha (-1)^{\alpha \cdot y} = 2^n$ if $y = (0, \ldots, 0)$ and $0$ otherwise. □ 



